Secure Access Control for Cloud Storage
Emerging storage cloud systems provide storage services to millions of geographically distributed clients. A secure access control mechanism is a crucial prerequisite for enabling clients to entrust their data to such cloud services. The sheer scale of the cloud and the new usage scenarios that accompany it pose new challenges in the design of such access control systems.
Access control selectively controls who can access and manipulate information. The setting of cloud storage introduces new requirements for an access control mechanism, including: (1) secure chaining of services while keeping track of the access rights of the client at the end of the chain, preserving the principle of "least privilege"; (2) user-to-user access delegation; and (3) scalability and high availability. Analyzing how existing systems satisfy these requirements, we observed that today's cloud solutions fall short of satisfying all of them simultaneously.
We developed a capability-based model that addresses these requirements without compromising the system's security, scalability, or availability. Extending previous capability-based access control models, we introduce the following innovations:
- Supporting a fully distributed architecture, with no single component that contains all the information about all the objects in the storage cloud.
- Fine-grained and dynamic scope of access control.
- User-to-user delegation.
- Mechanisms for auditing and access confinement that serve as a basis for accountability, compliance, and billing.
Our model has been prototyped and illustrated with two use cases: a healthcare scenario, in which a patient gives an external doctor access to her medical records, and a social networking application. Figure 1 illustrates a scenario of the social networking application, in which Alice uploads photos and delegates access based on policies.
Fig. 1. Delegation chaining. Examples of user-to-user and user-to-application delegation: (1) Alice creates a personal repository in a storage cloud. She has full control over her namespace, named Alice_photos. (2) Alice delegates access to photos containing "2008" or "2009" in their title to her social networking application (granting read and add permissions). (3) According to a policy defined by Alice, the social networking service further delegates access to Bob, allowing him to add photos to the namespace Alice_photos. Note that two options exist for generating the credential granted to Bob: it can be created either by Alice or by the social networking application. (4) Alice delegates access to her photo sharing application by generating a credential with read access to photos matching the pattern /200/, which includes the photos uploaded by Bob as well.
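The delegation chain of Figure 1 can be modelled with attenuable capabilities whose tags are chained HMACs, in the style of macaroons. The following is an added example written for this page, not the paper's prototype or its actual credential format; the master key, holder names, object names and the use of HMAC-SHA256 chaining are all assumptions. It shows the properties the abstract asks for: each delegation can only narrow the scope and permissions it received (least privilege along the chain), a delegate cannot strip or widen a restriction because it never sees the parent tag, the storage service verifies with a single master key and no directory of delegations (fully distributed), and the holder recorded in each caveat gives an audit trail of who delegated to whom.

```python
import hmac
import hashlib
import json
import re
from dataclasses import dataclass

# Constructed example: a namespace owner's root credential is an HMAC over the
# namespace name under the storage service's master key. Every delegation
# appends a caveat (holder, object-name pattern, permissions) and chains the
# tag with HMAC, so a delegate can only narrow what it holds, never widen it.
# The storage service verifies with the master key alone.

@dataclass(frozen=True)
class Caveat:
    holder: str          # who received this delegation (recorded for auditing)
    pattern: str         # regex the object name must match
    perms: frozenset     # actions permitted, e.g. {"read", "add"}

@dataclass(frozen=True)
class Capability:
    namespace: str
    caveats: tuple       # chain of Caveat, latest delegation last
    tag: bytes           # chained HMAC binding namespace and caveats

def _encode(caveat: Caveat) -> bytes:
    return json.dumps({"holder": caveat.holder, "pattern": caveat.pattern,
                       "perms": sorted(caveat.perms)}, sort_keys=True).encode()

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mint_root(master_key: bytes, namespace: str) -> Capability:
    """Root capability for a namespace: full control, no caveats."""
    return Capability(namespace, (), _mac(master_key, namespace.encode()))

def delegate(cap: Capability, holder: str, pattern: str, perms) -> Capability:
    """Attenuate cap for a new holder. The new tag is HMAC(cap.tag, caveat), so
    the holder cannot recover cap.tag and cannot remove the restriction."""
    caveat = Caveat(holder, pattern, frozenset(perms))
    return Capability(cap.namespace, cap.caveats + (caveat,),
                      _mac(cap.tag, _encode(caveat)))

def verify(master_key: bytes, cap: Capability, object_name: str, action: str) -> bool:
    """Storage-side check: recompute the tag from the master key, then require
    that every caveat in the chain permits the request, i.e. the effective
    rights are the intersection of all delegations along the chain."""
    tag = _mac(master_key, cap.namespace.encode())
    for c in cap.caveats:
        tag = _mac(tag, _encode(c))
    if not hmac.compare_digest(tag, cap.tag):
        return False            # forged, tampered, or wrong namespace
    return all(action in c.perms and re.search(c.pattern, object_name)
               for c in cap.caveats)

def delegation_path(cap: Capability) -> list:
    """Holders in delegation order, for audit trails and accountability."""
    return [c.holder for c in cap.caveats]

# Walk through the four steps of Figure 1 with constructed names.
MASTER_KEY = b"constructed-demo-master-key"                                  # assumption
alice = mint_root(MASTER_KEY, "Alice_photos")                                # step 1
social_app = delegate(alice, "social-app", r"2008|2009", {"read", "add"})    # step 2
bob_via_app = delegate(social_app, "bob", r".*", {"add"})                    # step 3, credential made by the app
bob_via_alice = delegate(alice, "bob", r"2008|2009", {"add"})                # step 3, credential made by Alice
photo_share = delegate(alice, "photo-share", r"200", {"read"})               # step 4

if __name__ == "__main__":
    print(verify(MASTER_KEY, bob_via_app, "2009_party.jpg", "add"))    # True
    print(verify(MASTER_KEY, bob_via_app, "2009_party.jpg", "read"))   # False: the app granted add only
    print(verify(MASTER_KEY, bob_via_app, "2007_old.jpg", "add"))      # False: outside the app's 2008|2009 scope
    print(delegation_path(bob_via_app))                                # ['social-app', 'bob']
```

Both ways of issuing Bob's credential verify, but they leave different audit trails: the one minted by the application records the chain Alice, social-app, Bob, while the one minted by Alice records only Bob. A storage node needs nothing beyond the master key to decide a request, which is what lets the scheme scale without a central table of delegations; the cost is that revocation must be handled separately (for instance by rotating the namespace root or adding an expiry caveat), since nothing in the tag chain can be invalidated after the fact.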